
Re: down to the core



On 29 Jul 2004, James LeClair wrote:
> On July 28, 2004 04:54 am, Harald Gröne wrote:
>
>> You never know potential security holes. So it's a good idea to keep a
>> firewall system as simple as possible:
>>
>> no modules, no initrd, no editor, no shell, just iptables and a firewall
>> startup program, period.
>>
>> In a non-perfect world you need ISDN, PPPoE and syslog too.
>>
>> The whole system gets small enough to fit on a flash disk.
>>
>> Currently I'm searching for cheap hardware to build fanless firewall
>> systems.
>
> Could you provide some decent documentation/walkthrough on slimming down a
> Debian-based router/firewall consistent with your recommendations?

If you are really looking for an embedded firewall solution, I strongly
recommend that you do not go out and build your own.

I have worked with Coyote Linux before (http://www.coyotelinux.com/),
and found it ... irritating as all heck, but it was an embedded system.

I have also used a few others, most of which have died at some point in
the last decade or so.

Getting this sort of thing right is a hard task, and not something that
you should be giving a shot to unless you can take the time to learn to
get it right, or already know it.


Now, I use a standard Debian system[1] for my firewalls, for two main
reasons:

The key reason is that any embedded system is going to be very limited,
in terms of functionality and especially in terms of being able to debug
on it.

This translates into higher incremental costs when your requirements
change, and slower delivery of new features when a business need is
identified.

This is especially true when you start dealing with topics such as VPN
support or the need to install and use packet level debugging tools on
the firewall.


The second, and less important, reason is that these little
distributions often don't have the active support base and development
stream of something like Debian.

If you don't mind doing your own security, maintenance and development,
or you have a *very* targeted system, they are fine. Otherwise, you
carry the liability of longer delays to security patches and the risk of
the distribution folding under you.


Now, none of this says that they are a *bad* thing, just that I don't
like them myself.

You need to make your own call. :)

    Daniel


Footnotes: 
[1]  Admittedly, with a fairly small set of packages installed, but
     still a full blown Debian install.

-- 
A good engineer gets stale very fast if he doesn't keep his hands dirty.
        -- Wernher von Braun
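Harald's "just iptables and a firewall startup program" sketch quoted above, made concrete as an added example. This is not code from either poster; it assumes a LAN on eth0 using 192.168.1.0/24, an upstream PPPoE link on ppp0, and a box that runs no listening services of its own (all of those names and addresses are assumptions). "start" loads the rules, "dry-run" prints the iptables commands instead of executing them, so the ruleset can be reviewed on a machine that is not the firewall.

```shell
#!/bin/sh
# Minimal stateful iptables startup script for a two-interface NAT firewall.
# Assumptions (not from the original thread): LAN on eth0 with 192.168.1.0/24,
# upstream on ppp0 (e.g. a PPPoE link), no services listening on the box.
# Run "./fw.sh start" as root to load the rules, "./fw.sh dry-run" to print
# the iptables commands that would be executed without touching the kernel.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

fw_flush() {
    # Start from empty tables so a re-run is idempotent.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
}

fw_policy() {
    # Default deny for anything arriving at or crossing the box; the box's
    # own outbound traffic (DNS, syslog, PPP keepalives) is allowed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

fw_rules() {
    # Loopback is always fine.
    $IPT -A INPUT -i lo -j ACCEPT

    # Anti-spoofing first: a LAN source address must never arrive on the
    # WAN side. Placed before the stateful accept so a forged packet cannot
    # ride an existing conntrack entry (conntrack matches tuples, not
    # interfaces).
    $IPT -A INPUT   -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Replies to connections the box or the LAN initiated.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot classify (bad flags, out-of-window, ...).
    $IPT -A INPUT   -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP

    # New connections are only allowed from the LAN towards the WAN.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
         -m state --state NEW -j ACCEPT

    # Masquerade LAN traffic behind the (possibly dynamic) WAN address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Everything else falls through to the DROP policy; log a sample of it,
    # rate-limited so a flood cannot fill the syslog host or the flash disk.
    $IPT -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-fwd-drop: "
}

fw_start() {
    fw_flush
    fw_policy
    fw_rules
}

# Number of -A rules the script would install; a cheap smoke test for the
# ruleset (run in a subshell with IPT=echo so nothing is applied).
fw_rule_count() {
    (IPT=echo; fw_start) | grep -c -- '-A '
}

case "${1:-}" in
    start)
        fw_start
        echo 1 > /proc/sys/net/ipv4/ip_forward
        ;;
    dry-run)
        (IPT=echo; fw_start)
        ;;
esac
```

Note the OUTPUT chain is left at ACCEPT: with no shell and no editor on the box, the only local processes are the PPP daemon, syslog and the firewall script itself, and locking OUTPUT down further buys little while making ISDN/PPPoE debugging harder. If the box ever grows a listening service (which Daniel's argument for a full Debian install makes likely), an explicit INPUT accept for that port goes after the anti-spoof rules and before the logging rule.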
